v0.19.0
π Toolhive v0.19.0 is live!
This release introduces webhook CLI configuration, Skills API v0.1 endpoints, multi-client skill installation, and Cursor client support β alongside several CRD cleanup changes and enterprise config fixes. Three breaking changes require attention before upgrading.
β οΈ Breaking Changes
remoteURL/externalURLJSON tags renamed to camelCase β Existing MCPRemoteProxy and MCPServerEntry resources in etcd will silently lose theirremoteUrlvalue after the CRD upgrade. Re-apply all affected manifests with the new field names. (migration guide)- Skills install API:
clientfield replaced byclientsβ API consumers sending"client"will get silent misbehavior; CLI users of--clientwill get an unknown flag error. Update to"clients": [...](API) or--clients(CLI). (migration guide) enforceServersremoved from MCPRegistry β Manifests withenforceServerswill fail validation. Remove the field before upgrading. This feature was non-functional since v0.6.0, so no behavioral change. (migration guide)
Migration guide: remoteURL / externalURL rename
Who is affected: All MCPRemoteProxy and MCPServerEntry users.
Risk: This is the highest-risk change in this release. After the CRD upgrade, existing resources stored in etcd still contain the old remoteURL key. The controller deserializes this as an empty string (since the JSON tag is now remoteUrl), causing reconciliation to fail with "remoteUrl is required for remote proxy".
Before
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPRemoteProxy
metadata:
name: my-proxy
spec:
remoteURL: https://mcp.example.comAfter
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPRemoteProxy
metadata:
name: my-proxy
spec:
remoteUrl: https://mcp.example.comField renames
| CRD | Old field | New field |
|---|---|---|
MCPRemoteProxy .spec |
remoteURL |
remoteUrl |
MCPRemoteProxy .status |
externalURL |
externalUrl |
MCPServerEntry .spec |
remoteURL |
remoteUrl |
Migration steps
- Update the CRD manifests β install the new CRD definitions first.
- Update all MCPRemoteProxy and MCPServerEntry manifests β find/replace
remoteURL:withremoteUrl:. - Re-apply every affected resource β this rewrites the etcd data with the correct key. Simply waiting for reconciliation will not help; the old key is silently ignored.
- Update any JSONPath queries or tooling β e.g.,
kubectl get mcprp -o jsonpath='{.spec.remoteUrl}'.
Migration guide: Skills install API and CLI
Who is affected: Any scripts, CI pipelines, or API clients calling the skills install endpoint or using thv skills install --client.
API change
The request body client (string) field is replaced by clients (string array). The old client field is silently ignored β if sent alone, the server treats clients as empty and installs to all available clients.
// Before
{"client": "claude-code"}
// After
{"clients": ["claude-code"]}CLI change
The --client flag is removed. Use --clients (accepts comma-separated values) or --all-clients.
# Before
thv skills install myskill --client claude-code
# After
thv skills install myskill --clients claude-code
# Install to all clients
thv skills install myskill --all-clientsMigration steps
- API consumers β update request bodies from
"client": "..."to"clients": ["..."]. - CLI users β replace
--clientwith--clientsin all scripts and commands. - Multi-client installs β use
--clients claude-code,cursoror--all-clientsto target multiple clients in one operation.
PR: #4732
Migration guide: enforceServers removal
Who is affected: MCPRegistry users with enforceServers in their manifests. Note: this feature has been silently non-functional since PR #2568 removed the backing data sources β no existing deployment was getting actual enforcement.
Before
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPRegistry
metadata:
name: my-registry
spec:
enforceServers: true
configYAML: |
...After
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPRegistry
metadata:
name: my-registry
spec:
configYAML: |
...Migration steps
- Remove
enforceServersfrom all MCPRegistry manifests (both in-cluster and in GitOps repos). - Remove any automation or alerting that watches the
ImageValidatedcondition β it will no longer appear in status. - Re-apply or upgrade the CRD manifest before upgrading the operator.
π Deprecations
backendAuthType: external_auth_config_refdeprecated in favour ofexternalAuthConfigRefon VirtualMCPServer β the old snake_case value is still accepted but will be removed in a future release (#4563)spec.telemetry(inline) on MCPRemoteProxy deprecated in favour ofspec.telemetryConfigRefreferencing a shared MCPTelemetryConfig resource β setting both is rejected by CEL validation (#4719)
π New Features
thv runnow supports webhook-based tool call authorization via--webhook-url,--webhook-timeout, and--webhook-failure-policyflags (#4410)- Two new Skills API v0.1 endpoints for browsing and fetching skills from the registry (#4753)
thv skills installnow supports installing to multiple clients in a single command with--clientsor--all-clients, with atomic rollback on failure (#4732)- Cursor is now recognized as a skill-supporting client (#4762)
- MCPRemoteProxy now supports
telemetryConfigReffor shared telemetry configuration, bringing it to parity with MCPServer (#4719)
π Bug Fixes
- Proxy now returns 503 instead of 401 when OAuth tokens are expired, preventing MCP clients from entering a broken OAuth discovery loop (#4722)
- Three gaps that allowed the
non_registry_serverspolicy to be bypassed when running remote MCP servers by URL are now enforced (#4752) - Webhook 422 responses are now treated as unconditional deny regardless of
failurePolicysetting (#4703) runtime_configAPI now validates inputs at the boundary and keeps merge behavior scoped to the API layer (#4435)- Enterprise config provider is now consistently respected in
thv run, registry routes, and HTTP handler setup (#4740, #4754, #4751, #4755) ValidatingCachenow supports bounded LRU capacity, preventing unbounded memory growth in long-running deployments (#4731)
π§Ή Misc
- Skills system architecture documentation added (#4758, #4759)
- Integration tests added for
authServerRefon MCPServer and MCPRemoteProxy (#4708) - Implementation plan section added to PR template (#4737)
- Flaky test fixes and test stability improvements (#4739, #4745)
- Dependency updates:
toolhive-catalogv0.20260413.0,go-containerregistryv0.21.5,golang.org/x/exp/jsonrpc2746e56f (#4666, #4757, #4750)
Full commit log
What's Changed
- Fix runtime_config API semantics and validation by @slyt3 in #4435
- Fix flaky TestForEachStep_ErrorAbort by @jerm-dro in #4739
- Fix GetDefaultProvider bypassing registered config factory by @reyortiz3 in #4740
- Add deflake skill for finding and fixing flaky tests by @jerm-dro in #4746
- Fix stale config in registry routes and WorkloadService by @reyortiz3 in #4751
- Enforce non-registry-server policy gate for remote URL workloads by @reyortiz3 in #4752
- Add v0.1 skills API endpoints by @rdimitrov in #4753
- honor webhook http 422 as unconditional deny by @Sanskarzz in #4703
- Fix NewHandler using config.NewDefaultProvider instead of config.NewProvider by @reyortiz3 in #4754
- Update golang.org/x/exp/jsonrpc2 digest to 746e56f by @renovate[bot] in #4750
- Update anthropics/claude-code-action digest to b47fd72 by @renovate[bot] in #4749
- Update module github.com/google/go-containerregistry to v0.21.5 by @renovate[bot] in #4757
- Wait for running state before deleting in lifecycle E2E test by @jerm-dro in #4745
- Add skills system architecture documentation by @JAORMX in #4758
- Support multi-client and all-clients skill installation by @samuv in #4732
- Add LRU capacity to ValidatingCache, remove sentinel pattern, add storage Update by @yrobla in #4731
- Use cfg.NewProvider() in run flags to respect enterprise provider factory by @reyortiz3 in #4755
- Return 503 for expired proxy tokens by @gkatz2 in #4722
- Add Cursor as a skill-supporting client by @samuv in #4762
- Webhook Middleware Phase 4: CLI configuration support by @Sanskarzz in #4410
- Fix accuracy issues in skills architecture documentation by @rdimitrov in #4759
- Update module github.com/stacklok/toolhive-catalog to v0.20260413.0 by @renovate[bot] in #4666
- Add TelemetryConfigRef support to MCPRemoteProxy by @ChrisJBurns in #4719
- Rename remoteURL and externalURL JSON tags to standard camelCase by @ChrisJBurns in #4775
- Add implementation plan section to PR template by @jerm-dro in #4737
- fix(operator): rename BackendAuthType enum value to camelCase by @tmchow in #4563
- Add integration tests for authServerRef on MCPServer and MCPRemoteProxy by @tgrunnagle in #4708
- Remove enforceServers and image validation from MCPRegistry by @ChrisJBurns in #4776
Full Changelog: v0.18.0...v0.19.0
π Full changelog: v0.18.0...v0.19.0